Apple, IBM, Oracle Among Enterprises That Fail Social Engineering Test

DefCon attendees participated in a social engineering penetration test against 14 major companies, which handed up information with minimal to no resistance.

Some
of the biggest companies-including Apple, IBM and AT&T-were easily tricked
into giving up potentially sensitive information during a contest that featured
a variety of social engineering attacks.
The
"Social Engineering Capture the Flag" contest targeted 14 companies
in five industries-retail, airlines, food service, technology and mobile
services-during the DefCon conference in Las Vegas in August.

Contestants
tried to ferret information out of employees at Apple, AT&T, Conagra Foods,
Dell, Delta Airlines, IBM, McDonald's, Oracle, Symantec, Sysco Foods, Target,
United Airlines, Verizon and Walmart using social engineering techniques,
according to a postmortem report released by Social-Engineer.org Oct. 31.

Contestants
had to obtain certain types of information, or "flags," from various
companies during a 25-minute time period. There were more than 60 flags,
representing nonsensitive data, but still information about the companies'
inner workings, such as names of the food service providers in the company
cafeteria, antivirus programs deployed and the browser version being used.
None
of the 14 companies succeeded in keeping the information away from the
attackers, according to the report. Only three employees offered any type of
resistance, the report found.
"Many
companies have the mentality of, 'It won't happen to us,' or 'Our people won't
fall for that.' The sad truth is, those are the very people that will and do
fall victim to these attacks, as demonstrated by the contest," said Chris
Hadnagy of Social-Engineer.org, who organized the contest.
Of
the firms tested, AT&T received the highest overall score and Oracle
received the lowest. However, in a real-world situation, both companies would
have failed the social engineering penetration test for giving up any
information in the first place, the report said.
Contestants
had two weeks to gather information and research their assigned target using
passive information-gathering methods, such as Google searches and looking at
social networks and Websites. The contestants compiled their data in a dossier,
turned in prior to the conference, which was used to calculate part of the
overall score for each contest participant. At DefCon, the contestants sat in a
soundproof booth and were allowed to directly contact the company; they were
given 25 minutes to collect as much information as possible.